Scammers manipulate us. They enlist our human nature against us in so-called social engineering. As a group of researchers recently reported in the Wall Street Journal, the culprit in our failure to avoid falling for email and text scams is the human brain and its limitations.
To help counter that, another researcher, through conversations with IT security pros, has found the non-technical ways those pros avoid falling for fakes. Our brains work for us too, sometimes when we’re not looking. So, there is bad news but also good news.
The Bad News: Our Brains at Work
In case you missed it, the efficacy of multitasking is a myth. We think we’re good multi-taskers. But studies demonstrate our brains are very bad at it. The brain must prioritize, and multiple studies have shown that trying to do two or three tasks simultaneously leads to poorer performance on all of them.
Have you ever been driving and talking with a passenger or on a hands-free phone and missed a turn? Admit it. It is hard to attend to two tasks at once. Sometimes we have to say, “Wait …” when we know an intersection or change of direction is ahead, and focus on finding the exit or the turn.
Focused on work, we sometimes miss warnings. When interrupted, we often give only half our attention and do things without thinking.
Scammers know accounts payable workers face a host of tasks under deadlines. That’s part of their sleight of hand. They don’t need a partner to distract you—your job does that. They exploit it.
The Good News: Our Intuition at Work
Dr. Rich Wash, associate professor at Michigan State University, sought to help people avoid falling victim to BEC by interviewing cybersecurity professionals about how they determine when emails are untrustworthy. What he uncovered is encouraging.
Contrary to what we might expect, it is not sophisticated technology on which cybersecurity pros rely. Instead, Wash found that they go by their intuition, honed by experience to protect them. Specifically, if something in an email “feels odd,” do not ignore it.
Does something seem weird? Out of place? Your experience is warning you to be alert. Listen to it.
In his best-selling book Blink, Malcolm Gladwell explores how we “think without thinking.” We use our experience and intuition to make quick decisions that we might not even be able to explain. But our “instinct” is often correct because our knowledge and experience provide us context in the background. Our brains subconsciously sift information for relevance and signal us.
When bank tellers handled most bank transactions in person, they learned to spot counterfeit bills simply from their repeated exposure to genuine dollar bills. Counterfeit bills felt different. So in handling the bills, a teller would feel something different and look more closely at it.
The lesson from the IT pros is that if you’re reading an email and something feels off, wake up. If something seems odd, it is your brain telling you to beware. The cybersecurity pros said that when something is not quite right in an email, it causes them to read more carefully, slow down and look critically. It warns them to verify.
It’s like hearing the snap of a twig behind you in the woods. It might be nothing, but you want to be sure.
“When people explain away weird things they notice in an email instead of letting those things make them feel uncomfortable,” Wash says, “they are much more susceptible to phishing.”
So, for example, if an email from a known entity looks a bit different, look closer. If there is a typo where there usually is not, slow down. If the email address naming convention does not match other addresses from the same company, that is a sign something is wrong. If the person’s name strikes you as odd, perhaps it is.
For example, suppose you receive an email from a Rose Harry with payment instructions. Now Rose may have written what appears to be a very ordinary email with simple enough instructions. But something about “Rose Harry” seems off. While there are people named Rose, something feels wrong. What’s wrong is that “Harry” (singular) as a last name is unusual. It could be okay, but pay attention to your sense that the last name is “off.”
In this actual case, the email turned out to be a scam. The recipient realized it before betraying any vital information or making a payment. You want to pay attention to that “funny” feeling. When you get it, look closer.
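The cues above (an address that breaks the company’s usual naming convention, a domain that is almost but not quite right, a display name that does not line up with the address) can also be checked mechanically before the email ever reaches the “funny feeling” stage. The following Python snippet is an added illustration written for this article, not code from the author or from VendorInfo; the vendor addresses, names and domain in it are constructed, and the heuristic is an assumption about how one might encode the cue, not a substitute for picking up the phone to verify.

```python
import re
from collections import Counter

# Constructed history of addresses previously seen from one vendor. In practice this
# would be built from past, already-verified correspondence (assumption).
KNOWN_SENDERS = [
    "jane.doe@acme-supply.com",
    "raj.patel@acme-supply.com",
    "li.wong@acme-supply.com",
]


def shape(local_part):
    """Reduce a local part to its naming shape: 'jane.doe' -> 'w.w', 'jdoe' -> 'w', 'jane_doe2' -> 'w_wd'."""
    s = re.sub(r"[a-z]+", "w", local_part.lower())
    return re.sub(r"\d+", "d", s)


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike domains (supp1y vs supply)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def learn_convention(addresses):
    """Return (dominant domain, dominant local-part shape) from the address history."""
    domains = Counter(a.lower().split("@")[1] for a in addresses)
    shapes = Counter(shape(a.split("@")[0]) for a in addresses)
    return domains.most_common(1)[0][0], shapes.most_common(1)[0][0]


def check_sender(display_name, address, known=KNOWN_SENDERS):
    """Return the reasons a sender looks 'off' relative to the history; an empty list means consistent."""
    if "@" not in address:
        return ["address has no domain part"]
    domain_ref, shape_ref = learn_convention(known)
    local, domain = address.lower().split("@", 1)
    reasons = []

    # Cue 1: the domain is not the one this vendor normally writes from.
    if domain != domain_ref:
        d = edit_distance(domain, domain_ref)
        if d <= 2:
            reasons.append(f"domain {domain!r} is a near match for {domain_ref!r} (edit distance {d})")
        else:
            reasons.append(f"domain {domain!r} differs from usual {domain_ref!r}")

    # Cue 2: the local part breaks the company's naming convention (e.g. 'accounts' where 'first.last' is usual).
    if shape(local) != shape_ref:
        reasons.append(f"local part {local!r} does not follow the usual {shape_ref!r} pattern")

    # Cue 3: the display name is not reflected in the address at all ('Rose Harry' sent from 'accounts@...').
    name_tokens = set(re.findall(r"[a-z]+", display_name.lower()))
    local_tokens = set(re.findall(r"[a-z]+", local))
    if name_tokens and local_tokens and not name_tokens & local_tokens:
        reasons.append(f"display name {display_name!r} shares no name token with {local!r}")
    return reasons


if __name__ == "__main__":
    for name, addr in [
        ("Jane Doe", "jane.doe@acme-supply.com"),      # consistent with history
        ("Jane Doe", "jane.doe@acme-supp1y.com"),      # look-alike domain
        ("Rose Harry", "accounts@acme-supply.com"),    # wrong naming shape, name not in address
    ]:
        print(f"{name} <{addr}>:", check_sender(name, addr) or "looks consistent")
```

The output is a list of reasons rather than a yes/no verdict on purpose: the point of the article is that an oddity should make the reader slow down and verify, and a short list of what is odd is exactly the prompt a busy accounts payable clerk needs. Tune the edit-distance threshold to your own domain length; very short domains will produce near-match hits for unrelated names.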
A Few More Examples
If you have never gotten an email directly from your CFO before, and suddenly you do, you think, “Wow, that’s unusual.” And it is. Verify it. Call the CFO. Do not let yourself be intimidated into making a huge mistake because you failed to confirm it!
Wash discovered that when cybersecurity experts encounter something strange or uncomfortable, they keep reading but are now on alert. Suddenly they’re not just taking in the content but are looking to verify the message.
Another example involving a best practice: You receive an email from the bank. It says there is a security issue and you must confirm your information. It urges you to click on the provided link. But any direction to click a link in an email should alert you, and it is best practice to avoid clicking the link. Instead, key the company’s URL into your browser yourself.
A link might be legitimate. But it might not. The best practice is to go to the website independently.
So, while our brains are susceptible to distraction, they also work for us in ways we might overlook. Even cybersecurity pros rely on their sense of “right” vs. “off” as an early warning system to cause them to pause and look closer before acting.
In the war against cybercriminals, knowledge through best practice training is a must, as is awareness of how the criminals try to manipulate us. But in addition, we should not ignore our natural tendency to “feel” something that is unusual. It is another vital tool to protect against cybercrime.
To find out how VendorInfo can help you avoid unnecessary emails in vendor enrollment and communication, contact us.